Zuora OneID Office Hours: Q&A and API and Service Accounts - May 2024

By Lana Lee posted 05-06-2024 15:30


As part of our ongoing support of our upcoming legacy login deprecation, we are holding monthly OneID office hours with Principal Product Manager, Bharath Marimuthu who was on-hand to answer questions after sharing some best practices from questions asked before the session in the Zuora Administrators group.

View Presentation | Watch Full Video


Things to Do After Onboarding to OneID

Watch video to learn more

  • Do not worry about your existing login, you will have access to your existing credentials for your tenants until August 1st. Your new OneID account will be an additional login to your Zuora applications.
  • Rename your global OneID roles that were imported from your local tenants
  • Import additional user accounts from your local tenants to OneID. Do NOT import API user accounts.
  • Setup SSO and SCIM provisioning in OneID (Optional)
  • Please reach out to Zuora support if you face any issues activating your OneID account or any duplicate user accounts.


API and Service Accounts with OneID

Watch video to learn more

Best practices for migrating API user accounts fall into 3 categories:

  1. API User accounts with Basic Auth
  2. API User accounts with OAuth Tokens
  3. These API user accounts will have API Write Access platform permission and UI Access platform permission both checked.

API and Service Accounts with OneID


Additional references:

Office Hour Questions

Click on the question to jump to the Q&A in the session recording

  1. If an account has an aouth for access to/from another system, but the Platform role that has been assigned is Standard User - if I change the platform role to API user - will that change anything for the user a/c? Should I just change them to an API user platform role?

  2. As an admin user who is on OneId, can I login into local tenant level always or is it time-bounded, for managing API users on Basic Auth?

  3. Will the edit option in admin settings for managers grayed out?

  4. Is there any way that we can avoid multiple migrated roles being created?

  5. Does OneID support two-factor authentication? If our company requires two factor, how will that work with OneID?

  6. Do you know when the account-level oauth token feature will be released in OneID?

  7. We have standard (non-api) users using single-signon through OKTA, and also use OAUTH for the Developers Toolkit option - will that migrate?

  8. Who in the organization will be receiving the Ondeid invite? Will all admins receive it or does it go to a specific contact?

  9. The One ID account is a union of users in all Production and non-production tenants - What is the rollout and timing on the when non-product occurs and when production occurs?

  10. Can you increase the timeout?

  11. What are the best practices when it comes to duplicate accounts that exist within the tenants? For example, a user has three separate accounts in three separate tenants but each has the same work email. Is it possible to connect all three accounts to one OneID account?

  12. Account groups and priorities - does the priority actually make any difference  e.g. first role has view only, next role has some limited write powers - do they get combined or does the view only take precedence over the limited write powers and not give them the limited write powers?

  13. We use 2FA in production. Will the users need to setup 2FA again while setting up their oneId? Any impact to API User 2FAs?

  14. Revenue question: 1) is it intentional that as a OneID user I can't see Security > Users in our local tenants and get a user export?  2) If so, it creates an issue because we need Zuora's local tenant user reports for audit purposes (especially since we're not migrating our API users). I'm not able to export access for all users that are actually provisioned in production

  15. Anything we need to be aware of for tenant with multi-entity enabled? I understand entity id would not change?

  16. We are going to have to work with our Okta team for this migration and to update their processes for future users.  Is there a specific team we should refer them to if/when questions arise or go through our CSM or the regular service mailbox?

  17. After completing a refresh of our central sandbox, we saw inactive OneID users have their accounts duplicated in OneID, and several MigrationGenerated user roles appear in OneID for our central sandbox. How can we prevent this strange behavior when performing sandbox refreshes going forward?

  18. What is the utilization flag?

  19. When we enable a single sign on in one Id for a new user, should that drive the one id flag in the local tenant to be checked as yes to, or should those be treated as 2 separate concepts?

  20. Can we rename the tiles?

Continue Your OneID Journey with Others

Exploring new Zuora features collaboratively with the guidance of a product manager is ideal which is why we’re starting OneID conversations in the Zuora Administrators community group.  There you can ask questions and get answers from like-minded users and Zuora experts who’ve “been there and done that” so that you won’t have to reinvent the wheel and also have discussions that are admin-specific.  Hope to see you there!